On Thu, May 7, 2015 at 1:45 PM, Gene Heskett <ghesk...@wdtv.com> wrote:
> On Thursday 07 May 2015 10:41:55 Mark Wendt wrote:
> [...]
> > Can you post your sshd_config from the lathe machine, and also what
> > you see from ssh -Y -vvv <lathe_machine>?
>
> a copy paste, screen at a time of lathe/etc/ssh/sshd_config:
> ============================
> # Package generated configuration file
> # See the sshd_config(5) manpage for details
>
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
>
> # Authentication:
> LoginGraceTime 120
> PermitRootLogin yes
> StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
>
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
> # Change to no to disable tunnelled clear text passwords
> #PasswordAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> ======================================
>
> log out, log back in with all the -vvv's
>
> gene@coyote:~$ ssh -Y lathe -vvv
> OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to lathe [192.168.71.5] port 22.
> debug1: Connection established.
> debug1: identity file /home/gene/.ssh/id_rsa type -1
> debug1: identity file /home/gene/.ssh/id_rsa-cert type -1
> debug1: identity file /home/gene/.ssh/id_dsa type -1
> debug1: identity file /home/gene/.ssh/id_dsa-cert type -1
> debug1: identity file /home/gene/.ssh/id_ecdsa type -1
> debug1: identity file /home/gene/.ssh/id_ecdsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
> debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
> debug2: fd 3 setting O_NONBLOCK
> debug3: load_hostkeys: loading entries for host "lathe" from file "/home/gene/.ssh/known_hosts"
> debug3: load_hostkeys: found key type ECDSA in file /home/gene/.ssh/known_hosts:3
> debug3: load_hostkeys: loaded 1 keys
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit: none,z...@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: RSA 1a:75:8f:b3:aa:d7:83:bd:7a:5e:d3:dc:82:76:9c:4f
> debug3: load_hostkeys: loading entries for host "lathe" from file "/home/gene/.ssh/known_hosts"
> debug3: load_hostkeys: found key type ECDSA in file /home/gene/.ssh/known_hosts:3
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "192.168.71.5" from file "/home/gene/.ssh/known_hosts"
> debug3: load_hostkeys: found key type ECDSA in file /home/gene/.ssh/known_hosts:4
> debug3: load_hostkeys: loaded 1 keys
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 1a:75:8f:b3:aa:d7:83:bd:7a:5e:d3:dc:82:76:9c:4f.
> Please contact your system administrator.
> Add correct host key in /home/gene/.ssh/known_hosts to get rid of this message.
> Offending ECDSA key in /home/gene/.ssh/known_hosts:3
> RSA host key for lathe has changed and you have requested strict checking.
> Host key verification failed.
> ==============================
>
> Ooookaaaayyy, why the hell didn't it say that in the first place?
> Killed that key here on this machine, then the -vvv got a different error
> and skipped the login:
> RSA key fingerprint is 1a:75:8f:b3:aa:d7:83:bd:7a:5e:d3:dc:82:76:9c:4f.
> Are you sure you want to continue connecting (yes/no)?
> Host key verification failed.
>
> Without the -vvv
> gene@coyote:~$ ssh -Y lathe
> The authenticity of host 'lathe (192.168.71.5)' can't be established.
> RSA key fingerprint is 1a:75:8f:b3:aa:d7:83:bd:7a:5e:d3:dc:82:76:9c:4f.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'lathe' (RSA) to the list of known hosts.
> Warning: the RSA host key for 'lathe' differs from the key for the IP address '192.168.71.5'
> Offending key for IP in /home/gene/.ssh/known_hosts:3
> Are you sure you want to continue connecting (yes/no)? yes
> gene@lathe's password:
> Linux lathe 3.4-9-rtai-686-pae #1 SMP PREEMPT Debian 3.4.55-4linuxcnc i686
>
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
>
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Thu May 7 09:50:42 2015 from coyote.coyote.den
>
> So which key is it yelling about this time? Deleted key #3 here, tried
> again. Update-manager errors out, can't open display.
>
> I didn't intend to file a Garrison Keillor report from Lake Wobegon, but
> if this was paper, the Amazon would be a desert.
>
> Thanks Mark.
>
> Cheers, Gene Heskett

Okay, let's try this for grins and giggles. Edit the sshd_config, and change the StrictModes from yes to no. Restart sshd. Then rename the /home/gene/.ssh/known_hosts to /home/gene/.ssh/known_hosts.old. Try logging in again with the three "v's" for verbosity and let's see what we get. Try it with the -Y first, then with the -X. Let's see what the debug reports.
Mark

_______________________________________________
Emc-users mailing list
Emc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/emc-users
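The warning in Gene's log comes from a type mismatch: known_hosts:3 holds an ECDSA key for lathe, while the server (its ECDSA HostKey line commented out) can only present RSA or DSA. Before renaming or deleting known_hosts, it is worth checking each entry against the server's own /etc/ssh/ssh_host_*_key.pub files read out-of-band. The script below is an added example, not code from this thread; the host name and IP are from the thread, the key blobs are constructed toy values, and it also covers the same-type-but-different-key case, the one that actually warrants investigation.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string, the SSH wire-format building block."""
    return struct.pack(">I", len(b)) + b

def toy_blob(key_type: str, tag: bytes) -> str:
    """Constructed base64 key blob (type name plus one opaque field), not a real key."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(tag)).decode()

def md5_fingerprint(b64_blob: str) -> str:
    """Colon-hex MD5 of the decoded blob, the form OpenSSH 6.x prints."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text: str):
    """Yield (line_no, hostnames, key_type, blob); skip comments and hashed lines."""
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        yield n, parts[0].split(","), parts[1], parts[2]

def check_host(known_hosts: str, host: str, server_keys: dict) -> list:
    """Compare entries for host with {key_type: blob} read from the server's own key files."""
    findings = []
    for n, names, ktype, blob in parse_known_hosts(known_hosts):
        if host not in names:
            continue
        if ktype not in server_keys:
            findings.append(f"line {n}: stale {ktype} entry; server offers no {ktype} key")
        elif md5_fingerprint(blob) != md5_fingerprint(server_keys[ktype]):
            findings.append(f"line {n}: {ktype} key differs from the server's own key")
        else:
            findings.append(f"line {n}: {ktype} entry matches")
    return findings

# Server side as in the thread's sshd_config: RSA and DSA HostKeys, ECDSA commented out.
SERVER_KEYS = {"ssh-rsa": toy_blob("ssh-rsa", b"lathe-rsa"),
               "ssh-dss": toy_blob("ssh-dss", b"lathe-dsa")}
# Client side (constructed): line 3 is an ECDSA entry for lathe, line 4 one for its IP,
# line 5 an RSA entry that does not match the server (the case that warrants investigation).
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "coyote ssh-rsa " + toy_blob("ssh-rsa", b"coyote"),
    "lathe ecdsa-sha2-nistp256 " + toy_blob("ecdsa-sha2-nistp256", b"old"),
    "192.168.71.5 ecdsa-sha2-nistp256 " + toy_blob("ecdsa-sha2-nistp256", b"old"),
    "lathe ssh-rsa " + toy_blob("ssh-rsa", b"not-lathe"),
])
```

Running check_host(KNOWN_HOSTS, "lathe", SERVER_KEYS) reports line 3 as a stale ECDSA entry and line 5 as an RSA key that differs from the server's; only the first kind is safely cleared with ssh-keygen -R, the second is the one to stop and check.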